With the rapid development of the Internet, IP networks are increasingly becoming an indispensable tool in people's daily work and life, and the demand for the security of data communication over IP networks is also becoming increasingly intensive. As is well known, IP networks are open networks, and data communication using IP networks without any safeguarding is not secure at all. To meet the demand for secure communication over IP networks, the IPSec (IP Security) working group of the Internet Engineering Task Force formulated a set of cryptography-based open network security protocols, collectively referred to as IPSec architecture. The IPSec protocols provide security services such as access control, connectionless data integrity, data privacy, data source authentication, anti-replay attack, automatic key management, etc.
At present, there are mainly two kinds of security processors for implementing network packet data encryption: one kind of security processors, such as the communication security processor of model MPC180 manufactured by Motorola Inc., only provide the function of data encryption operation per se, perform data communication with the outside world through an asynchronous data bus of 8-32 bits, and require an external processor to implement the IPSec protocols; the other kind of security processors, such as the communication security processor of model MPC190 manufactured by Motorola Inc., also only provide the function of data encryption operation per se, perform data communication with the outside world through a PCI bus, and also require an external processor to implement the IPSec protocols.
Since current network communication security processors can only perform the function of data encryption operations, and in implementing the IPSec protocols, the key needed and the algorithm to be used by the encryption operation have to be specified by the external host processor, thus the host processor has to be involved in the concrete encryption operation process, increasing the load on the host processor, enhancing the complexity of the system, augmenting the development difficulty and lowering the reliability of the system.
For a security processor performing data communication with the outside world through an asynchronous data bus, performing a read or write operation on a chip typically requires about 5 clock cycles, and this intrinsic deficiency of slow interface data transmission rate makes the chip unable to achieve a high data processing speed. For a security processor performing data communication with the outside world through a PCI bus, a high data communication speed appears to be achievable, but in practice this shared bus has low efficiency, especially when there are multiple PCI devices in the system, the use efficiency of the PCI bus will decrease greatly. This will lower the utilization of the security processor in practical use, and the data processing speed of the system is still not high. For a security processor employing a PCI interface, the system is required to provide a PCI interface, which reduces the flexibility of the system architecture.
Existing patent documents include: Chinese patent application No. 01107461.2, entitled “packet encryption chip and its high-speed data encryption and decryption method”, and U.S. Pat. No. 6,477,646, entitled “Security chip architecture and implementations for cryptography acceleration”.
There are the following deficiencies in the Chinese patent application No. 01107461.2: firstly, this patent uses a PCI bus interface to transmit data, and since a PCI bus is a shared bus, when there are multiple PCI interfaces in the system, the bus transmission efficiency must necessarily be low, and the interface data transmission rate is restricted; in addition, the network security processing system must be coupled electrically with the network application system through the PCI bus, which also restricts the composition of the network application system. Secondly, in the implementation of this patent, the implementation of the network security protocols from the negotiation of the network secure connection to the encryption and decryption of each data packet and the identity authentication processing must be participated in and controlled by the central processor, thus increasing the load on the host processor, enhancing the complexity of the system, augmenting the development difficulty and lowering the reliability of the system.
There are the following deficiencies in the U.S. Pat. No. 6,477,646: in this patent, the implementation of the network security protocols from the negotiation of the network secure connection to the encryption and decryption of each data packet and the identity authentication processing must be participated in and controlled by the central processor, thus increasing the load on the host processor, enhancing the complexity of the system, augmenting the development difficulty and lowering the reliability of the system.